Mitigating Risk with Cybersecurity Insurance

By Adam Brouillet

Imagine one of your company’s employees being tricked into clicking on a link in an email to trigger the complete destruction of the company’s electronic files, followed by a weeks-long forensic investigation, legal fees, bad press, regulatory investigations, and loss of business and goodwill. The total price tag? Maybe $200,000 if you’re lucky, or much more if you’re not.

Cybersecurity insurance is a key way the company can mitigate these potential costs. While technical cybersecurity measures, such as firewalls, strong passwords and multi-factor authentication, may filter out malicious emails and prevent at least some attackers from accessing company databases, they are not perfect cybersecurity protections.

If a data security incident occurs, cybersecurity insurance can cover some of the heavy costs incurred from a suspected or actual data breach. Following are some tips on the topic of commercial cybersecurity insurance.

Understand the common causes and costs of a data breach.

The appropriate cybersecurity insurance policy for a company should cover the common causes and costs of a data breach. Common causes of a data breach include phishing emails, business email compromise, malware and ransomware. An ideal cybersecurity insurance policy will have language specifically providing coverage for all of these events.

As for common costs, the company should understand the potential costs to comply with any legal requirements after an actual or suspected data breach. In the United States, all fifty states, the District of Columbia, and the U.S. territories Guam, Puerto Rico and the U.S. Virgin Islands have some form of a data breach notification law. These laws apply to companies that hold personal information of their customers and employees. Federal laws and regulations also may apply and generally require companies to maintain reasonable measures to safeguard personal information. Laws outside the United States, most notably the European Union’s General Data Protection Regulation, also require notifications in the event of a data breach.

If the company learns of a potential security breach that may have exposed personal information, the company must conduct a reasonable investigation. The best practice is to retain legal counsel, who then would retain a third-party forensics specialist under the attorney-client or work-product privilege. The forensic specialist would investigate the incident to determine whether there was a data breach and, if so, to what extent. This information will enable counsel to provide legal advice to the company on next steps.

The company may be required to notify those individuals whose information was or might have been accessed. The company also may be required to notify the state attorney general, law enforcement, credit card companies, consumer reporting agencies, or other parties as required by applicable law or contract. The company should implement protective measures to prevent a similar incident from happening again. The breach could lead to lawsuits by disgruntled individuals or other business clients whose information was accessed, or to investigations by regulators concerning the company’s data privacy practices. These consequences are costly. Without cybersecurity insurance, the company must bear all of these costs itself.

With these general legal requirements in mind, the company should pick an insurance policy to cover the costs of compliance. Unfortunately, “traditional” commercial insurance policies (liability, property, D&O, E&O, crime, etc.) often do not cover those costs.

Do not rely on “traditional” commercial liability insurance policies.

Companies sometimes assume they have adequate cybersecurity insurance when, in fact, they don’t.

Take the standard commercial general liability, or CGL, policy, for example. CGL policies typically cover bodily injury or accidental property damage. Data breaches do not involve bodily injury, nor are data breaches necessarily accidental; rather, they are intentional acts by the attackers, and CGL policies often exclude coverage for intentional or criminal acts.

Property damage under a CGL policy is usually damage to “tangible” property; electronic data, as “intangible” property, will not be covered by such a policy. A grocery store learned that lesson the hard way in a 2016 case in Alabama. The grocery store’s credit card database was hacked, and credit card data was stolen. The grocery store sought coverage under its CGL property policy, but the court denied coverage because credit card data was intangible property not covered by the policy.

Other companies have experienced similar denials of coverage under other commercial insurance policies. For example, certain property insurance policies may cover the destruction of, or damage to, company property. That may be good news for a company whose electronic data was destroyed by a malware attack, unless of course the policy excludes coverage for damage to electronic data, which is sometimes the case.

The same limitations or exclusions are in many directors and officers, errors and omissions, and crime policies. Either they narrowly define “claim” or other terms to limit coverage for data breaches, or they exclude such coverage altogether.

The best way to insure against a cybersecurity attack or data breach is to obtain a comprehensive cybersecurity insurance policy.

Select the appropriate cybersecurity insurance coverage.

Over the past 20 years or so, as data breaches became more common, insurers frequently denied coverage for data breaches under “traditional” commercial insurance policies and instead created separate cybersecurity insurance policies.

Companies may obtain cybersecurity insurance by purchasing an endorsement to an existing policy or purchasing a stand-alone policy. No standard policy form has emerged, as cybersecurity policy language varies among insurers and policies, but the appropriate cybersecurity insurance policy for a company should cover the common causes and costs of a data breach.

As for common causes, the cybersecurity policy should cover:

Denial-of-service attacks
Ransomware (extortion)
Data exfiltration or destruction
Vendor breach
Social engineering
Stolen devices
Phishing
Brute-force attacks
Malware
Business email compromise

As for costs, cybersecurity policies typically provide first-party and third-party coverages. First-party coverages cover the following common costs of a suspected or actual data security incident:

Forensic investigation
Legal fees
Notifications to affected individuals, regulators, and others as may be required by law or contract
Call center to field inquiries from affected individuals
Mailing vendor to send notification letters
Credit monitoring for affected individuals
Public relations campaigns
Data repair or restoration
Ransom payments (extortion liability)
PCI-DSS fines
Loss of business / business interruption
Social engineering fraud loss (fraudulent wire instructions)
Administrative safeguards, such as employee training and creating security and incident response plans

Third-party coverages cover the following potential legal claims and proceedings that can follow a data security incident, usually on a claims-made-and-reported basis:

Civil lawsuits
Regulatory actions and investigations (not every investigation leads to an action)

In evaluating potential cybersecurity insurance policies, the company should understand the amount of coverage for each potential cause of a data breach and analyze where coverages may overlap. As a case in point, in 2016 and 2017, a small Virginia bank was hacked, and the attacker gained administrative-level control over the bank’s databases. The attackers removed anti-theft protections for ATM transactions and stole more than $2 million from the bank at various ATMs.

The bank’s insurance policy had two relevant riders: one covering up to $8 million in losses for the electronic theft of money, except for losses from the use of ATMs; the other covering $50,000 in losses from the use of debit cards. This cybersecurity attack involved both an electronic hack and the use of debit cards at ATMs. Predictably, the insurer agreed to cover only $50,000 of the bank’s losses under the debit card rider and denied coverage under the $8 million rider.

The takeaway is that companies should closely scrutinize their cybersecurity risks, identify hypothetical breach scenarios, and evaluate whether the cybersecurity insurance policy would cover the resulting losses and costs. If not, negotiate with the insurer for a better policy or choose another insurance company.

Selecting the appropriate cybersecurity insurance policy requires an understanding of the legal implications of a data breach, the limitations of “traditional” commercial policies, and the potential cybersecurity risks of the company. A comprehensive cybersecurity insurance policy covering the common causes and costs of a data breach is a key way to mitigate those risks.

Adam Brouillet is a shareholder with Tampa-based Trenam Law, located in the firm’s St. Pete office. Brouillet’s practice focuses on data privacy, cybersecurity and business litigation.